Sean, I'm looking at a different problem, spam-over-http. Here's one event, 406 inserts of the URL paxil-medication.info from a single attack node in a weblog. The insert times and numbers of inserts/minute are below. 07:17 1 09:22 4 09:23 45 09:24 30 09:25 32 09:26 38 09:27 22 09:28 24 09:29 8 09:30 20 09:31 14 09:32 32 09:33 31 09:34 32 09:35 22 09:36 34 09:37 17 The targeted site (my wife's political weblog) is provisioned at 128kb/s, on a dual-processor 1GHz PIII running Freebsd 5.2.1, so the rate limiting factor is b/w, and the upper-bound on the number of writes is the number of posts with "open" comments. The attack node is 151.42.235.185 (IUnet, Italy dhcp-spam-swamp). The Afilias whois data for paxil-medication.info is redily available, the salient points are: a. the registrant Jerry Buckheimer claims domicile in American Samoa, and is the tech-c and admin-c, b. the registrar is Wild West Domains [R213-LRMS], c. the nameservers are ns{1,2}.dataextend.com, [67.15.0.{62,191}] The registrant Tunahan Korkmaz claims domicile in Turkey. These servers are in the address block [CIDR: 67.15.0.0/18] allocated by ARIN to Everyones Internet of Houston TX, and the registrar is NameSecure.com (also tech-c). As a class (I've got more, I'm sure everyone who hosts blogs has too), the attack node(s) are not interesting. Some blogware vendors offer the bandaide of ip address (/32) blocking, and "wait" times between comments to foil robo insertion engines, and so on. More interesting is the benefitting URL, and the NS and registration providers that provide the persistant infrastructure for this form of theft-of-advertizing. The economics of the registration and ns/webhosting business are not so different from the access-isp market, leading to the abuse-desk-vacant syndrome, or worse -- I've got three complaints of this size or larger out to my competitors and they are taking the fill-in-the-web-form approach to this. Other folks with data, or insight, drop me a line. I'll summarize. Eric